TLP:CLEAR — This version of the report is approved for public sharing and may be redistributed with attribution.
Summary: This is a maximum-severity (CVSS 10.0) unauthenticated Remote Code Execution (RCE) vulnerability in n8n, a popular workflow automation tool. The flaw stems from “Content-Type Confusion” in the webhook parser. By changing the request's Content-Type header (from multipart/form-data to application/json), an attacker can bypass validation and trick the server into reading arbitrary local files, such as the internal SQLite database containing user credentials. Once the database is read, the attacker extracts the admin session secrets, forges an admin cookie, and uses n8n’s own “Execute Command” node to take full control of the server.
**🔗 Link to article** https://www.infosecurity-magazine.com/news/maximum-severity-ni8mare-bug/
Why We Picked This: n8n is the definition of “Shadow IT” infrastructure. It is increasingly used by non-technical “everyday people” and marketing teams to automate sensitive tasks, meaning it often bypasses standard corporate patching cycles.
The Hidden Risk: An n8n server is a “skeleton key.” It usually holds API tokens for other critical services (Stripe, AWS, CRM, Slack). Compromising the n8n instance grants the attacker immediate lateral movement into all connected platforms.
Operational Context: This isn’t just a software bug; it’s a governance failure. Security teams often don’t even know these instances exist on their network.
Classification:
Category: Infrastructure Abuse / Shadow IT / Application Security
Verticals Impacted: All (Sector Agnostic)
Type of Intel: ⚡ Operational
Noted TTPs:
Content-Type Confusion: Manipulating headers to bypass input validation.
Arbitrary File Read: Exfiltrating internal configuration files (database.sqlite).
Session Forgery: Crafting admin cookies using stolen secrets.
Living off the Land (App-Layer): Using the tool’s legitimate features (”Execute Command” node) for malicious execution.
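The TTPs above are visible at the webhook edge before anything reaches a workflow. Below is a defender-side detection sketch over webhook access logs, added here as an illustration; it is not code from the original brief or from the n8n project. It assumes a JSON-per-line log with the fields shown (the sample lines are constructed), that webhook routes live under /webhook, and treats a JSON-typed webhook body that carries database.sqlite or an absolute file path as the "Content-Type Confusion + Arbitrary File Read" indicator. The follow-on rule (a flagged source then hitting a non-webhook route such as /rest/workflows) is likewise an assumption modelled on the session-forgery step, not a documented n8n log signature.

```python
import json
import re
from typing import Dict, List

# Constructed sample access-log lines, one JSON object per line. The field
# names (ts, src, method, path, content_type, body) are assumptions for this
# example; adapt them to what your reverse proxy or n8n instance really logs.
SAMPLE_LOGS = r"""
{"ts":"2024-01-01T10:00:00Z","src":"10.0.0.5","method":"POST","path":"/webhook/order-intake","content_type":"multipart/form-data; boundary=xyz","body":"--xyz\r\nContent-Disposition: form-data; name=\"file\"; filename=\"a.csv\""}
{"ts":"2024-01-01T10:00:05Z","src":"10.0.0.9","method":"POST","path":"/webhook/order-intake","content_type":"application/json","body":"{\"order_id\":1234,\"note\":\"rush\"}"}
{"ts":"2024-01-01T10:00:09Z","src":"203.0.113.7","method":"POST","path":"/webhook/order-intake","content_type":"application/json","body":"{\"file\":{\"path\":\"/home/node/.n8n/database.sqlite\"}}"}
{"ts":"2024-01-01T10:02:30Z","src":"203.0.113.7","method":"GET","path":"/rest/workflows","content_type":"","body":""}
"""

WEBHOOK_PREFIX = "/webhook"                      # assumed webhook route prefix
ABS_PATH_RE = re.compile(r"(?:/[\w.-]+){2,}")    # e.g. /home/node/.n8n/database.sqlite
SENSITIVE_MARKERS = ("database.sqlite",)         # the file named in the brief


def parse_lines(text: str) -> List[Dict]:
    """Parse JSON-per-line log text, skipping blank or malformed lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not stop the whole pipeline
    return events


def is_webhook(event: Dict) -> bool:
    return event.get("path", "").startswith(WEBHOOK_PREFIX)


def content_type_is_json(event: Dict) -> bool:
    # Strip parameters such as "; charset=utf-8" before comparing.
    media_type = event.get("content_type", "").split(";")[0].strip().lower()
    return media_type == "application/json"


def detect(text: str) -> List[Dict]:
    """Return findings for JSON-typed webhook bodies that reference local
    files, plus any later non-webhook activity from the same source."""
    findings: List[Dict] = []
    flagged_sources = set()
    for ev in parse_lines(text):
        src = ev.get("src", "?")
        body = ev.get("body", "")
        if is_webhook(ev) and content_type_is_json(ev):
            markers = [m for m in SENSITIVE_MARKERS if m in body]
            paths = ABS_PATH_RE.findall(body)
            if markers or paths:
                findings.append({
                    "rule": "json-webhook-local-path",
                    "ts": ev.get("ts"), "src": src, "path": ev.get("path"),
                    "evidence": sorted(set(markers + paths)),
                })
                flagged_sources.add(src)
        elif src in flagged_sources and not is_webhook(ev):
            # Same source moving from the webhook surface to other routes
            # after a suspected file read: worth a second look.
            findings.append({
                "rule": "post-file-read-api-access",
                "ts": ev.get("ts"), "src": src, "path": ev.get("path"),
                "evidence": [],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f["rule"], f["src"], f["path"], f["evidence"])
```

Run against the constructed sample, the multipart upload and the ordinary JSON order are left alone; only the JSON-typed request carrying a path to database.sqlite is flagged, and the same source's later request to /rest/workflows is surfaced as follow-on activity. The point is the correlation: a file path inside a webhook body whose Content-Type does not match how the workflow expects input is the cheapest signal this brief gives you.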
🛠 Final Notes
We write these for the analyst trying to triage 20 open tabs, the blue-teamer who needs to pivot fast, and the CISO who wants to understand why this matters without reading 3 emails or articles. If you’re one of them, you’re why we’re here.
We’ll be publishing deep-dive reports, enriched IOCs and more for paid members. Need a complete system to track threats and streamline your intelligence workflow? 👉 Check out the IndigoINT Threat Intelligence Marketplace
❤️🔥 Remember, in the dark we are all the same. ❤️🔥
— Yasmine | IndigoINT
Appendix
Extra Sources used:
hunt.io: Threat Hunting Platform | C2 & Malicious Infrastructure Hunting
Tools Used for additional intelligence:
Free Threat Intelligence Tool - IndigoINT
📝 Disclaimer
IndigoINT may use AI tools to assist with formatting, grammar, and low-level analysis support. All content is reviewed by a human analyst and undergoes internal peer review to ensure accuracy and integrity.